Slashdot Mirror


Gov't.-published List of Computer Security Holes

Arngautr writes "ScienceDaily.com reports that the U.S. government has created a 'comprehensive database of computer vulnerabilities,' the National Vulnerability Database. Updated daily, it currently includes almost 12,000 vulnerabilities. Should be a boon to IT professionals and script kiddies alike."

4 of 25 comments

  1. This might actually be useful by Anonymous Coward · Score: 4, Interesting

    The first thing that caught my eye on there was "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges."

    And guess which version of Tar is GNU's latest.

    Anyway, I can't believe I'm saying this, but thanks US Gov!

    1. Re:This might actually be useful by MobyDisk · Score: 2, Interesting
      Granted, it would be a nice feature, but why would you run tar as root to install something into a globally readable folder without fully knowing what it is extracting? And why is it tar's job to tell you that this is a bad idea?
      "which may allow local users or remote attackers to gain privileges."
      A better way to say that is that you are giving local users or remote attackers privileges. This is very different from a buffer overflow.
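The tar entry quoted above is the kind of thing a pre-extraction check catches before anything is unpacked as root. As an added example (not from the thread and not GNU tar's own code), this Python script lists every archive member carrying a setuid or setgid bit and can rewrite the archive with those bits cleared; the archive it inspects is constructed inline.

```python
import io
import stat
import tarfile
from typing import List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample: a normal file, a setuid binary and a setgid directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in (
            ("pkg/README", 0o644, b"hello\n"),
            ("pkg/bin/helper", 0o4755, b"#!/bin/sh\nid\n"),  # setuid bit set
            ("pkg/var/shared", 0o2775, None),                 # setgid directory
        ):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_setid_members(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member name, 'setuid' or 'setgid') for each member with a set-id bit."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if m.mode & stat.S_ISUID:
                hits.append((m.name, "setuid"))
            if m.mode & stat.S_ISGID:
                hits.append((m.name, "setgid"))
    return hits


def strip_setid_bits(archive: bytes) -> bytes:
    """Copy the archive with setuid/setgid cleared on every member, keeping other bits."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.mode &= ~(stat.S_ISUID | stat.S_ISGID)
            payload: Optional[io.BufferedReader] = src.extractfile(m) if m.isfile() else None
            dst.addfile(m, payload)
    return out.getvalue()
```

Run `find_setid_members` on an archive before extracting it with elevated privileges; if it returns anything, either reject the archive or extract the copy produced by `strip_setid_bits`.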
  2. Re:Next step... by TheCreeep · Score: 1, Interesting

    I ran a couple of searches:
    "windows"
    There are 767 matching records.
    "linux"
    There are 1055 matching records.
    My guess is that they missed some bugs :/

  3. Re:Next step... by NemoX · Score: 2, Interesting

    But this compares a platform (consisting of many companies with many products) to one company (with many products).

    Try the advanced search and compare O/S to O/S...which yields:

    Windows XP: 139
    SuSE Linux 9.3: 8